Dawn Rock, Chief Compliance Officer, Encompass Health
Ask any compliance professional what keeps her awake at night, and you’ll inevitably hear, “I don’t know what I don’t know.” Historically, that statement applied to undiscovered risks to the company that lurked just below the surface. In more recent times, however, the statement may equally apply to the technological advances that have invaded the healthcare field. In healthcare, as in any other business, leaders are often looking for technical solutions to simplify the work of their employees, bring about efficiencies, drive patient compliance and provide patient satisfaction. This is sharply apparent with the increased use of medical smart devices and the commandeering Internet of Things (IoT) into the healthcare arena. These and other technological advances have resulted in the need for greater controls, especially as it concerns patient privacy. Many healthcare compliance professionals may also need to expand their knowledge of technology to fully appreciate the potential risks these items can pose.
The IoT has the potential to improve patient health by promoting preventive care, advancing care management and population health management, and turning data into actionable measures. From its unassuming induction in the world of healthcare, when the IoT consisted of little more than wearable biometric sensors, automated medication dispensers, and remote monitoring, to its barely conceivable future, which could consist of activity trackers notifying a person’s physician of an impending health event even before the individual experiences any symptoms, IoT in healthcare is fueled by data, specifically electronic protected health information (ePHI). And with more and more medical devices collecting and transmitting ePHI, increased mobility of such devices, and the reliance on cloud-based technology to store transmitted data, healthcare compliance professionals must ensure appropriate controls are in place to protect ePHI and processes exist to identify and mitigate the potential consequences of a breach related to these advancing technologies.
"The IoT has the potential to improve patient health by promoting preventive care, advancing care management and population health management, and turning data into actionable measures"
Knowing how to manage the risks that are inherent in the electronic transfer of ePHI using these emerging technologies requires more than a passing understanding of how the systems operate – both independently and interdependently – along with their intended purpose and the spans of systems capability. In a field largely dominated by individuals whose backgrounds are rooted in law, nursing and quality, few healthcare compliance professionals may be able to immediately identify or fully understand the novel dangers posed by, or because of, the new technology. Whenever a new technology is being implemented, a crash course on the system itself is the first step in appropriately managing potential risks. Smart Compliance Officers involve themselves in early discussions, prior to actual system implementation or adoption of new processes, to begin conceptualizing potential risks at the outset. Healthcare compliance professionals should also partner closely with their CIO/BIO or other information technology personnel to ensure they fully understand all the capabilities of the system, even if all features won’t immediately be put to use so that they can fully appreciate the potential for any breaches or other compliance failures. And they should always be mindful of scope creep, that is, the slow extension of the system’s intended use over time, often in ways that could compromise controls that were originally put in place.
Finally, in a world where technology often outpaces regulatory guidance, healthcare compliance professionals must consider regulatory expectations when developing controls for new technologies. Compliance Officers should ask themselves whether they are doing enough to ensure that risks will be appropriately surfaced and managed, and consistently monitor to ensure that regulatory expectations are regarded as further advances become available.